Slashdot Mirror


E-Sports League Stuffed Bitcoin Mining Code Inside Client Software

hypnosec writes "The E-Sports Entertainment Association (ESEA) gaming league has admitted to embedding Bitcoin mining code inside the league's client software. It began as an April Fools' Day joke idea, but the code ended up mining as many as 29 Bitcoins, worth over $3,700, for ESEA in a span of two weeks. According to Eric Thunberg, one of the league's administrators, the mining code was included as early as April. Tests were run for a few days, after which they 'decided it wasn't worth the potential drama, and pulled the plug, or so we thought.' The code was discovered by users after they noticed that their GPUs were working away with unusually high loads over the past two weeks. After users started posting on the ESEA forums about discovery of the Bitcoin mining code, Thunberg acknowledged the existence of a problem – a mistake caused a server restart to enable it for all idle users." ESEA posted an apology and offered a free month of their Premium service to all players affected by the mining. They've also provided data dumps of the Bitcoin addresses involved and donated double the USD monetary value of the mined coins to the American Cancer Society.

46 of 223 comments

  1. Sounds handled fairly well by magarity · · Score: 4, Insightful

    Sure, it was rather poor form to have started on this project, even as a joke, but it seems they've fessed up and handled it well.

    1. Re:Sounds handled fairly well by Anonymous Coward · · Score: 4, Insightful

      Absolutely not, for an organization that is striving for legitimacy this is an extreme breach of trust.

    2. Re:Sounds handled fairly well by girlintraining · · Score: 5, Insightful

      Sure, it was rather poor form to have started on this project, even as a joke, but it seems they've fessed up and handled it well.

      ... After they were caught with their hand in the cookie jar, yes. Meanwhile, were I, a non-corporation, to do something like this, the FBI would be coming through my door with a bunch of dudes with shotguns for an enhanced "interview" over my connections to terrorism, money laundering, etc.

      So, my question is... whether intentional or accidental, it happened. That means it's a crime. So... where is the charge sheet, mmm?

      --
      #fuckbeta #iamslashdot #dicemustdie
    3. Re:Sounds handled fairly well by Anonymous Coward · · Score: 4, Insightful

      Absolutely not, for an organization that is striving for legitimacy this is an extreme breach of trust.

      So admitting wrongdoing, giving credit, and donating the money to a nonprofit is an "Extreme breach of trust"?
      How do you figure that?

    4. Re:Sounds handled fairly well by fredprado · · Score: 4, Interesting

      What the GP said still stands. If he, as a person and not a corporation had done exactly that, admitting it, and donating the results would fall very short from freeing his ass from prosecution. He would more likely than not end in jail.

    5. Re:Sounds handled fairly well by girlintraining · · Score: 5, Funny

      What the GP said still stands. If he, as a person and not a corporation had done exactly that, admitting it, and donating the results would fall very short from freeing his ass from prosecution. He would more likely than not end in jail.

      Shhh... don't spoil it. I'm enjoying the slashdotters trying to rage against overbearing police authority and misunderstanding technology ... while at the same time having to balance out corporate versus private individual rights, and for the bonus round it's something that ties directly in with their online privacy. I got some popcorn, wanna share? This is gonna be good...

      --
      #fuckbeta #iamslashdot #dicemustdie
    6. Re:Sounds handled fairly well by Anonymous Coward · · Score: 5, Insightful

      I figure that because it happened in the first place, which is completely inexcusable. What were they thinking? What's to say it won't happen again? You know that old saying from Tennessee, well, from Texas, but probably from Tennessee too: fool me once, shame on, hmm, shame on you, fool me... well, you can't get fooled again.

    7. Re:Sounds handled fairly well by Goaway · · Score: 5, Insightful

      They hardly "admitted wrongdoing". They made up absurd stories about how it was all an April Fool's joke, and lied about how long it had been active and how much money they had made.

      (Consider this: Which part of this "April Fool's joke" was supposed to actually be FUNNY? It was installed in secret. If it was hidden from you, how were you supposed to laugh at it?)

    8. Re:Sounds handled fairly well by timmyf2371 · · Score: 2

      What they did was a mistake and it was wrong to do so. But are we sure it's actually a crime?

      Looking at the facts:-

      - ESEA released software which people downloaded and willingly installed so it would be a big stretch to call it a bot net.
      - The software did what it said on the tin but it also did something else without advertising this fact to the users.
      - What it was doing is probably only relevant if mining bitcoins was illegal anyway.

      So what makes ESEA's software any different from operating systems which run processes in the background without explicitly stating which processes these are? What is the difference compared to some of the TV catch up services (e.g. Sky catch-up and BBC iPlayer) which use P2P to offload bandwidth usage from the providers onto the users of the software?

      IANAL etc but I'm genuinely interested to understand what law might have been broken here and whether there is any legal precedent.

      --
      Backup not found: (A)bort (R)etry (P)anic
    9. Re:Sounds handled fairly well by IndustrialComplex · · Score: 4, Insightful

      Yeah, it shouldn't be illegal to rob a bank if you give the money back... right?

      There is a problem with your post. They didn't rob a bank. So it's not like that at all.

      --
      Out of modpoints but really liked a post? 1BDkF6TtmmeZ3yqXbz9yhdYVqRYnwFoXDj
    10. Re:Sounds handled fairly well by Dunbal · · Score: 5, Insightful

      We're also supposed to take them at their word that only 29 bitcoins were mined. Sure they provided the dumps. How much are they holding back?

      --
      Seven puppies were harmed during the making of this post.
    11. Re:Sounds handled fairly well by Hatta · · Score: 5, Funny

      Consider this: Which part of this "April Fool's joke" was supposed to actually be FUNNY?

      I ask myself that every time I visit /. on April 1st.

      --
      Give me Classic Slashdot or give me death!
    12. Re:Sounds handled fairly well by dantotheman · · Score: 2

      You forgot to run that through ROT13 first. FTFY: V nfx zlfrys gung rirel gvzr V ivfvg /. ba Ncevy 1fg.

    13. Re:Sounds handled fairly well by Khyber · · Score: 2

      "The software did what it said on the tin but it also did something else without advertising this fact to the users."

      And I sued the fuck out of EA for the EXACT SAME THING.

      Looks like ESEA needs a visit from my legal team.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    14. Re:Sounds handled fairly well by Anonymous Coward · · Score: 4, Insightful

      They're making amends for getting caught. Consider: "Tests were run for a few days, after which they 'decided it wasn't worth the potential drama.'"

      They intentionally included the code. They were planning on continuing. The only reason they stopped is that the cons (user backlash, possible lawsuits) outweighed the pros (making money off of suckers). If their mining operation had been successful enough, they'd still be doing it now.

      Hell, even EA didn't hide the contents of their games. People buying the new SimCity knew it would be online only (and to a lesser degree people buying Dead Space 3 knew it would have microtransactions) and still bought it knowing they would be unhappy. The real shitstorm happened because EA didn't do enough QA or server stability tests, and it continues with in-game advertising. So, yes, there is a difference. EA committed gross ineptitude. ESEA committed borderline fraud. But, trust who you will with your credit.

    15. Re:Sounds handled fairly well by lorenlal · · Score: 2

      And the point that GP, and up are trying to make is... Yup, they're apologizing for getting caught. Unlike most non-apologies, at least some good is coming out of it, and they're at least putting up a good show to show they're sorry.

      That's better than the vast majority of non-apologies, and they're at least acknowledging that their image is important enough to them to try to make some amends.

      I'm sure you paid all those speeding tickets that you could've been cited for, so I should just leave well enough alone.

    16. Re:Sounds handled fairly well by IndustrialComplex · · Score: 4, Insightful

      No, because this was not a bank robbery.

      You might as well say, "Because it's bad to damage streetlights, but fine to set fires?" The robbing a bank analogy just doesn't need to be applied because the situation doesn't require an analogy. Everyone on this site is capable of understanding the technical details of what they did, we don't need to obfuscate the problem by unnecessarily applying analogies.

      Besides, it didn't even TRY to include a car.

      --
      Out of modpoints but really liked a post? 1BDkF6TtmmeZ3yqXbz9yhdYVqRYnwFoXDj
    17. Re:Sounds handled fairly well by Anonymous Coward · · Score: 2, Insightful

      I ask myself that every time I visit /. on April 1st.

      Exactly! April 1st is "Don't Read Slashdot Day".

    18. Re:Sounds handled fairly well by HungryMonkey · · Score: 2

      I figure that because it happened in the first place, which is completely inexcusable. What were they thinking?

      The latest release from ESEA covers this. It was initially beta tested with client approval, then they decided against moving forward.

      With the whole fervor around Bitcoin, we did conduct some internal tests with the Client on only two of our own, consenting administrators' accounts to see how the mining process worked and determine whether it was a feature that we might want to add in the future. We thought this might be an exciting new tool that we could provide to our community. Ultimately, we decided that it was not. On April 13, 2013, after the initial tests, ESEA informed those involved in the test that we were killing the project and they should stop using the beta test. It came to our attention last night, however, that an employee who was involved in the test has been using the test code for his own personal gain since April 13, 2013...

  2. Computer Trespass by Peter+Mork · · Score: 5, Insightful

    This sounds an awful lot like computer trespass: coercing somebody else's computer into doing something on your behalf. If an individual pulled this stunt, he or she would be in prison.

    1. Re:Computer Trespass by ThorGod · · Score: 5, Insightful

      Yep, but instead the company involved just pays a fine. That's the only way companies pay for crimes...with dollars.

      Even if you're BP and you severely damage one of the world's oceans and kill an uncountable amount of wildlife and destroy whole ecosystems.

      --
      PS: I don't reply to ACs.
    2. Re:Computer Trespass by Anubis+IV · · Score: 4, Interesting

      Probably so. Of course, the question this begs, at least in my mind, is not one of, "Why aren't these people in prison?", but rather, "Why does anyone go to prison over something so innocuous?"

      Granted, you can definitely engage in forms of trespass that are much worse than this, but for something like this situation, which was promptly handled, had no major ill effects, and was responded to in a way that indicates it truly was a mistake, I don't see why anyone should be up for prison time, whether as an individual or a part of a company.

    3. Re:Computer Trespass by lgw · · Score: 5, Funny

      See, BP's big mistake was to put out the fire. As everyone knows:

      Birds soaked in oil: evil

      Birds fried in boiling oil : tasty!

      --
      Socialism: a lie told by totalitarians and believed by fools.
    4. Re:Computer Trespass by Anubis+IV · · Score: 2

      Your analogy would suggest that they broke into these computers. Quite the contrary. A better analogy might be that you invited me into your car (i.e. willingly downloaded the software), and I left behind a magnet that would pick up any loose change you dropped, but then I later thought better of it, let you know what I had done, and tried my best to make reparations.

      Again, innocuous.

    5. Re:Computer Trespass by fredprado · · Score: 3, Informative

      Nah, a better analogy is, you hired me to change your tires, and I decided to put stuff in your car and copy your car lock to be able to access it and get my stuff whenever I wanted. Then when you found out I had copied the car keys I apologized and donated the results of my endeavor to a charity.

      Analogies are always wrong in the end, but wrong as it may be mine is still a lot better than yours.

    6. Re:Computer Trespass by arkhan_jg · · Score: 5, Interesting

      Probably so. Of course, the question this begs, at least in my mind, is not one of, "Why aren't these people in prison?", but rather, "Why does anyone go to prison over something so innocuous?"

      Granted, you can definitely engage in forms of trespass that are much worse than this, but for something like this situation, which was promptly handled, had no major ill effects, and was responded to in a way that indicates it truly was a mistake, I don't see why anyone should be up for prison time, whether as an individual or a part of a company.

      Leaving it running for at least 2 weeks is not exactly promptly in my book. Even putting it in the release code disabled, without notification, is shady as hell. The forums are apparently riddled with complaints about gpu problems, including dead graphics cards on machines running the bitcoin software. While it's entirely possible it's pure coincidence, it's also entirely possible they damaged thousands of dollars worth of high end graphics cards - which given they can easily cost $500 a pop, wouldn't take many. Consumer grade GPUs aren't designed to run full throttle for weeks at a time. Especially if, for example, a gamer has a manual fan control so they can shut up the half dozen case fans when idling, and ramp them up when they start a gaming session (I use this exact setup). A couple of generations back, I fitted after market copper heatsinks and fans to my GPUs to improve cooling at lower fan speeds, but the downside was they had to be manually controlled via a rheostat, so if something like this had been running without my knowledge it could easily have literally cooked my gpus without me being any the wiser as I ramped them down to cut noise when I was just browsing slashdot et al. Those cards are still trucking in a friend's machine several years later, incidentally.

      Criminal damage in the course of trespass for profit? Seriously bad judgement, and really not funny. Worth jail time? No. Worth some real consequences? Yes.

      --
      Remember kids, it's all fun and games until someone commits wholesale galactic genocide.
    7. Re:Computer Trespass by IndustrialComplex · · Score: 2

      But they are ignoring the costs of the clean-up. Every single user that had their system compromised like that needs to check everything from scratch to verify that the sports league software didn't compromise their systems in any other ways.

      I'm sorry, but no. You could apply the same logic to any other piece of software that was ever installed on any system ever. Unless you verified every line of code, how can you be sure that there wasn't some reused code from another project which had unwanted, but unnoticed behavior? Do you realize how often even unintentional backdoors are discovered in software because pieces were (often lazily) included from other working pieces?

      I'm sorry, but the instant you install ANY software that you didn't write yourself, or verify line-by-line, you cannot be certain that your system isn't compromised.

      --
      Out of modpoints but really liked a post? 1BDkF6TtmmeZ3yqXbz9yhdYVqRYnwFoXDj
    8. Re: Computer Trespass by Anubis+IV · · Score: 2

      That's nice and all for the law, but as I pointed out with my first post in this thread, the question is not one of applying the law, but rather of why the law is what it is. I'd certainly agree that the law should be applied evenly both to corporations and individuals, but I'd also suggest that the law is providing an excessive punishment in cases such as these, and that it should be changed to something that better fits the nature of the crime. For instance, reparations to the victims and a fine, rather than jail time.

      And, once again, that would apply to individuals as well.

    9. Re:Computer Trespass by IndustrialComplex · · Score: 2

      Here's a better analogy:

      They included some code in their software that intentionally performed unnecessary calculations.

      --
      Out of modpoints but really liked a post? 1BDkF6TtmmeZ3yqXbz9yhdYVqRYnwFoXDj
    10. Re:Computer Trespass by Lakitu · · Score: 2

      Laws are prescriptive: they must be written and agreed upon beforehand. You cannot be punished for doing something which only becomes illegal after the fact.

      Punishments for breaking laws generally provide for a range in sentencing, giving the judicial system some leeway in case the "crime" actually was something rather innocuous or unintentional. If you think the range of sentencing doesn't quite fit the magnitude of the crimes, then you believe the law should be changed. This also needs to be pre-scribed.

      If the range of sentencing for crimes is decided right after it is committed, or if it can be nullified immediately, then there isn't much of a judicial system at all. It's just a mob.

    11. Re: Computer Trespass by Drakonblayde · · Score: 2

      Pretty simple, he likely cut a deal with the employer to turn over all information regarding the activity to avoid prosecution from the company itself.

      As an example, years ago, I worked for a hardware reseller. The guy who processed our RMAs was using the company to supply his eBay business. Since he was the one handling replacements, when he went into the cage where the expensive stuff was held, no one gave it a second thought.

      He got greedy and sold off 20 grand of inventory, which was enough to trip an internal investigation. In order to avoid prosecution, he cut a deal with the company to turn over all the records for his side business and resign his position.

    12. Re:Computer Trespass by whoever57 · · Score: 3, Insightful

      Modifying your analogy a little:

      You took your car to a repair shop. The repair shop used your car as a taxi for a day (using your gas and adding miles to your car).

      --
      The real "Libtards" are the Libertarians!
  3. the clear takeaway by Anonymous Coward · · Score: 2, Funny

    It's OK to add secret bit-mining code to client software as long as you do it on April 1.

  4. Computer hacking... by aaronb1138 · · Score: 5, Informative

    I advocate the involved parties all be arrested and charged with relevant computer hacking charges. The software development community needs a clear message sent that such activities are federal crimes and will not be allowed. I don't understand why we are still tolerating a Wild Wild West attitude to computer crimes by corporations when the laws are on the books and quite clear.

    Also, trying to pass it off as merely an April fools joke is insulting as well. The closest part to a joke was the Office Space grade conversation about skimming from their own customer base.

    1. Re:Computer hacking... by Anonymous Coward · · Score: 3, Insightful

      The laws on the books aren't as clear as you think. "Hey, I didn't ask to mine BitCoins for someone else - what gives?!" is a logical user position, but I'm sure the license agreement that user agreed to upon installing basically gave them carte blanche to do whatever they wanted with his/her computer.

      Which would hold up in court - and are you sure enough to foot the bill for representation until (and possibly even if) you prevail?

      I'm not. I agree with you in spirit, but in this case their response was pretty classy.

    2. Re:Computer hacking... by NIK282000 · · Score: 4, Interesting

      I think it sounds like a pretty awesome business plan if you are not underhanded about it. Release your software for free with a note in the TOS that you will be mining bitcoins for the developer whenever you are using the software. Users get "free" software and developers get incentive to make software that people want to use. If you release rubbish not many people will continue to use it and you won't get paid.

      --
      Dear aunt, let's set so double the killer delete select all
  5. Re:What does... by Tynin · · Score: 2

    ..."They've also provided data dumps of the Bitcoin addresses involved" mean?

    I'm not up on bitcoin minutia. If these d-bags were running miners, that means that they own the coins... their wallet. So, what addresses do they mean? Specific coin IDs?

    Yes, they went to a wallet that the ESEA owned. In your wallet, you can set up numerous addresses that you can give to unique miners so you can see how many bitcoins specific miners are bringing in. You can also just use a single address to have all of your bitcoins sent to. Either way, they'd all end up in the same wallet. As an example, here is the address I used when I first tried mining on a pool, you can use it to see how much I bothered to get from this specific pool.

    1AiyVX1Ag87gar9E3oWb3QEziUHvDBRHax

  6. April Fools? Sure thing... by h8mx · · Score: 5, Insightful

    It began as an April Fools' Day joke idea

    How exactly does that work?

    "We were using your electricity and potentially damaging your computer for a whole month without your permission! APRIL FOOLS! Ha we got you good!"

  7. This fiasco begs a question. by bdwoolman · · Score: 2

    If a developer was up front about a distributed bitcoin mining scheme being baked into their software, would some people go for it as an option to amortize, or even pay for, some useful application? Is anybody doing this already? I am wondering about the economics of this. How much does it cost per hour of mining on a modern reasonably energy efficient x86 box?

    --
    "No fear. No envy. No meanness." Liam Clancy
  8. Re:How much? by Guspaz · · Score: 4, Informative

    Sure they are (making money). It's estimated that Satoshi Nakamoto (the anonymous inventor of BitCoin) got somewhere between one to one and a half million bitcoins in the early days, when they were very easy to generate (see the "total bitcoins" graph on wikipedia). Assuming he hasn't sold them off at some point in the past, they're currently worth somewhere between $120 million USD and $180 million USD. That's a pretty tidy profit for one person.

  9. Don't forget the human victims by dutchwhizzman · · Score: 4, Insightful

    Several people died in the explosions on the drilling rig. However (un)important the damage to the economy and the wildlife is, no human being gets away with killing someone and getting convicted to "only a fine", but a company like BP does.

    --
    I was promised a flying car. Where is my flying car?
    1. Re:Don't forget the human victims by dcollins117 · · Score: 2

      Or gross negligence.

      I vote gross negligence. The West Fertilizer plant failed to notify the DHS of its ammonium nitrate stockpiles. It is required to do so under the Chemical Facility Anti-Terrorism Standards Act. They are not out of the woods by any means, someone is going to be held accountable.

  10. Re:How much? by joh · · Score: 3, Interesting

    The spooky thing about that is: There is a limited amount of Bitcoins that will ever exist and new ones are getting more and more expensive to mine. This means that if Bitcoin ever will take off every single one of them would get more and more expensive. Bitcoin will top out at 21 million bitcoins. If you have one million bitcoins you will own about 5 percent of everything that can be bought with it. As in: If Bitcoin would become THE world currency at some point you would own 5 percent of the world. Of course even owning one bitcoin would make you stinking rich then.

  11. Re:Website with TOS? by Shompol · · Score: 3, Interesting

    TOS:
    ...
    279. By visiting this page you explicitly grant permission for our page scripts to run, regardless of the purpose, on your machine.

    There. Any responsibility avoided. Furthermore, lately they are trying to push laws in the US that breaking TOS is a federal offence, so blocking the "agreed-upon" scripts makes YOU a criminal!!

  12. Sounds handled fairly well? WTF? by csumpi · · Score: 2

    How is this different than installing some trojan botnet app that does ddos attacks or steals your credit card number? They stole money from users by using electricity to mine bitcoins. Handled well? Not until their asses are thrown in jail.

  13. Re:And thats a lawsuit... by Khyber · · Score: 2

    Yea, really. I sued EA for pretty much this exact same thing, except the hidden unmentioned software was SecuROM and it fucked with my GPU to where it would no longer recognize my 32" LCD as a 16:9 1080p monitor. A Windows install didn't repair it, a re-flashing of the firmware fixed it, about a year after the lawsuit got settled.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.